
A modern antispyware utility is a ruthless killer. The moment it sees a malicious program that matches one of its virus or spyware signatures, it terminates the process and deletes all file and Registry traces. But what if the malware is completely invisible to the antispyware program? Hackers and virus wizards don't have to go to Hogwarts for a cloak of invisibility. All they need is a little dose of rootkit magic.

On a Windows system, rootkit refers to a process that subverts the operating system to hide its activities. If an antispyware program checks for the presence of a rootkit-hidden file using ordinary Windows functions, the rootkit intercepts the function call and changes the results, eliminating any reference to the malware's protected files. Similar techniques hide Registry entries, processes, network connections, and so on.

The better antispyware and antivirus utilities don't naïvely rely on Windows to tell them what files and Registry items are present. They work below the surface to root out problems, even ones that are supposedly hidden. But if you have any doubts, if you're worried a rootkit may have slipped past your regular protection, there are plenty of free tools specifically aimed at detecting and removing rootkits.

It's completely possible for a utility to detect rootkit activity without needing any kind of signature. In simplest terms, it could first list all files using ordinary Windows functions, then list them again independently of those functions and look for discrepancies. But removing a rootkit found this way can be dangerous. As an analogy, suppose an alien probe has replaced your spleen with a methane micro-laser spy device that also filters out old red blood cells. Simply ripping out the device won't necessarily reconnect your spleen, and your health might suffer. By the same token, simply deleting all files that a rootkit has touched could leave a hole in the normal functioning of Windows. The free rootkit scanners deal with this problem in various ways.

RootkitRevealer (not reviewed) doesn't have to worry because it's just a reporting tool; it doesn't remove anything. AVG Anti-Rootkit and F-Secure's BlackLight (not reviewed) will remove the files they find, but only if you confirm that you understand the danger. By default, Sophos Anti-Rootkit only eliminates rootkits for which it knows safe removal procedures, but it will get rid of unknowns if you promise that you understand there could be trouble. Panda Anti-Rootkit also distinguishes known from unknown and only checks known rootkits for automatic removal. If you choose to remove unknowns, Panda Anti-Rootkit won't touch any files digitally signed by Microsoft even if they've been hidden by a rootkit. That's smart: if the signature shows the file is unmodified, it can't be the perpetrator of rootkit behavior. If the signature is blown, the modified file is a danger and should be removed.

Most of these utilities seem like loss leaders, freely distributed by the vendors who hope you'll think of them when you're ready to lay down some cash for real protection. Panda's product, however, kicks things up a notch. It finds more traces than the rest, offers more detailed information, and, in my testing, was the only product that removed all the sample rootkits. That's why Panda Anti-Rootkit is our Editor's Choice among free stand-alone anti-rootkit utilities.

In this roundup:

AVG Anti-Rootkit
Grisoft's AVG Anti-Rootkit detects and disables rootkits. But it checks only files and processes, not Registry traces; it doesn't save reports of its findings, and it missed some rootkits in testing. At least it's free.

F-Secure's BlackLight
Like RootkitRevealer, BlackLight identifies hidden files by getting a list of all files visible to Windows and comparing the result with a list obtained at a lower level. This process takes a long time, much longer than either Panda's or AVG's scanner does, and it doesn't include Registry items. BlackLight reports the hidden files it found by name only; you get no information about the file's location. Like the AVG scanner it doesn't offer a detailed log. To remove the files it found, you tediously click on each in turn and then click the Rename button. And before it will act you must confirm that you understand removal can be dangerous. In testing it (slowly) removed five of the six samples but couldn't handle the sixth. It's no longer at the cutting edge of stand-alone anti-rootkit protection.
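The cross-view comparison described earlier (list everything through Windows functions, list it again below the API, report the discrepancies) and attributed here to RootkitRevealer and BlackLight, as an added example written for this page rather than code from any product in the roundup. It models the two listings as constructed Python sets; a real scanner would build the low-level view by parsing the NTFS structures and Registry hive files directly. It also folds in the triage rules the roundup attributes to Sophos and Panda: known rootkits are removed, unknowns only after the user confirms, and files whose Microsoft signature still verifies are left alone (the signature check is a stand-in set, not a real Authenticode call). The two-scan confirmation step mirrors the advice to re-scan when another process scanning files produces spurious results. All paths and names are placeholders.

```python
"""Cross-view rootkit detection, added as an illustration (not code from any product
reviewed here).  The 'API view' is what ordinary Windows functions report; the 'raw
view' is what a direct read of the disk and Registry hives reports.  Objects present
in the raw view but absent from the API view are candidate rootkit-hidden objects.
Every listing below is constructed sample data with placeholder names."""

from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Item:
    kind: str   # "file" or "registry"
    path: str


def cross_view_diff(api_view, raw_view):
    """Return (hidden, phantom): items only the raw view sees, and items only the
    API view sees.  Either direction is a discrepancy worth reporting."""
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)


def confirm_across_scans(first_hidden, second_hidden):
    """Keep only items hidden in both of two independent scans.  A file created or
    deleted while an enumeration was running shows up in one scan only and is
    dropped here; this is the automated form of 'run the scan again'."""
    return sorted(set(first_hidden) & set(second_hidden))


def triage(hidden, known_rootkits, signed_unmodified):
    """Sort confirmed hidden items into removal buckets:
    keep    - digital signature still verifies, so the file itself is unmodified
    remove  - matches a rootkit with a known safe removal procedure
    confirm - unknown; remove only after the user accepts the risk"""
    verdict = {"remove": [], "confirm": [], "keep": []}
    for item in hidden:
        if item.path in signed_unmodified:
            verdict["keep"].append(item)
        elif item.path in known_rootkits:
            verdict["remove"].append(item)
        else:
            verdict["confirm"].append(item)
    return verdict


# --- constructed sample data (placeholder names, not real malware) ---------------
HIDDEN_DRIVER = Item("file", r"C:\Windows\System32\drivers\hidden_example.sys")
HIDDEN_SERVICE = Item("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\hidden_example")
SIGNED_HIDDEN = Item("file", r"C:\Windows\System32\drivers\signed_but_hidden.sys")
TRANSIENT = Item("file", r"C:\Temp\scan-race.tmp")   # created mid-scan by another process

API_VIEW = [
    Item("file", r"C:\Windows\System32\ntdll.dll"),
    Item("file", r"C:\Windows\System32\drivers\disk.sys"),
    Item("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk"),
]
RAW_SCAN_1 = API_VIEW + [HIDDEN_DRIVER, HIDDEN_SERVICE, SIGNED_HIDDEN, TRANSIENT]
RAW_SCAN_2 = API_VIEW + [HIDDEN_DRIVER, HIDDEN_SERVICE, SIGNED_HIDDEN]

KNOWN_ROOTKITS = {HIDDEN_DRIVER.path}        # hypothetical known-rootkit database
SIGNED_UNMODIFIED = {SIGNED_HIDDEN.path}     # stand-in for a real signature check


def run_example():
    """Two scans, intersect the hidden sets, then apply the triage policy."""
    hidden_1, _ = cross_view_diff(API_VIEW, RAW_SCAN_1)
    hidden_2, _ = cross_view_diff(API_VIEW, RAW_SCAN_2)
    confirmed = confirm_across_scans(hidden_1, hidden_2)
    return triage(confirmed, KNOWN_ROOTKITS, SIGNED_UNMODIFIED)


if __name__ == "__main__":
    for bucket, items in run_example().items():
        for item in items:
            print(f"{bucket:8} {item.kind:9} {item.path}")
```

Running it lists the hidden driver under remove, the hidden service key under confirm, and the still-signed file under keep; the temp file that appeared in only one scan never reaches triage. In a real tool the raw view is the hard part, and the triage buckets are where the products above differ most.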

Panda Anti-Rootkit
Panda Anti-Rootkit digs deeper than any other anti-rootkit tool I've seen, telling you exactly what it found. For safety it won't delete files digitally signed by Microsoft (smart!). And it wiped out every one of my test rootkits.

RootkitRevealer
RootkitRevealer finds files, folders, processes, and Registry data that aren't visible through normal Windows functions. It takes quite a while to enumerate all the file and Registry items, but its reports are very thorough. It may at times list valid items hidden by the operating system, and occasionally another process scanning for files can cause RKR to spew spurious results, requiring a re-scan. But there's no harm done, as RKR does not attempt to remove any files it finds.

I tested RKR with nine known rootkits, and it found every file and Registry item that I expected it to. RKR also found a couple of suspect Registry items in a System-access-only region. No other tool found these; I figure they're harmless.

RootkitRevealer is a valuable tool, but you must use it wisely. If it reports a huge number of problems, run the scan again. And bear in mind that it's strictly a reporting tool; it won't remove what it finds.

Sophos Anti-Rootkit
This free app makes a useful distinction between known and unknown rootkits, though it recommends removing only known ones. But it couldn't remove every rootkit it detected. Worse, it reported success when it actually failed.

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips...